online populist

February 16, 2010

Populist Politics

The web changes how public disputes are contested. Inexpensive web 2.0 publicity disrupts the balance of power.

Internet Bank Robbery - The Facts

After computer thieves stole $200,000 [Krebs] from the bank account of Hillary Machinery Inc., the company demanded reimbursement from its bank, PlainsCapital Bank. The bank refused. Thus began one of the most gripping cases in the history of computer security law . . . and a lesson in how to use the Internet as a populist podium . . .

Apparently the investigation of the heist has not determined conclusively how the hackers succeeded in tricking the bank into transmitting money out of the account. Each party believes the forensic investigation proves it is blameless.

The Law On Internet Bank Robberies

The legal relationship between Hillary and the bank is largely governed by Uniform Commercial Code Article 4A and the banking agreements signed between the parties. In a case like this, an essential issue is whether the bank employed commercially reasonable security procedures when it acted upon what purported to be electronic payment instructions from Hillary. The bank maintains that its security was reasonable, and therefore it need not reimburse the money.

As this dispute escalated, Hillary might have sued, possibly in Texas state court or possibly in federal court.

But the bank seized the legal initiative. It sued Hillary in federal court! The bank may have calculated that a federal court would review this complex, technical case more thoughtfully than a state court. So it preempted Hillary's option to sue in state court.

From the federal court, the bank seeks an affirmation that its security was reasonable. In essence, the bank said Hillary had called into question the integrity of the bank's operations, and the bank is entitled to clear its name by way of litigation.

The bank is forcing Hillary to spend money on lawyers, quite possibly hoping Hillary will decide this quarrel is too expensive and too much trouble, and will settle and shut up. From the perspective of traditional litigation strategy, the bank is probably in a stronger position because it can afford to spend much more on lawyers and technical experts to fight the case.

Internet as Populist Bullhorn

This is an unusual lawsuit. But it has taken an even more remarkable twist. Instead of cowering, Hillary has gone on the publicity warpath. On its primitive web page, Hillary complains noisily about the bank and its security.

It started working with other interested and knowledgeable parties, and is shouting from the virtual rooftops, “Can you believe this? Hackers stole $200,000 from my bank account, and then my bank sued ME!” That's one newsy sound bite.

Hillary has attracted quite a few news stories (including in the Dallas Morning News and the Denver Post), many of them favorable to Hillary. The most sensational is a TV report on Fox Business, which is posted on the web. Hillary of course points to many of these reports from its web site.

What's more, Hillary affiliates appear to be posting pointed comments on web discussion threads. When a popular Dallas news blog wrote an unrelated story about PlainsCapital, someone apparently associated with Hillary posted a comment saying (paraphrase) “Thieves stole money from our PlainsCapital account, and then PlainsCapital hauled us into court!” linking to the Fox Business video. [Another example: see the second comment, from Amanda, below this post.]

Someone who appears to be the spouse of a Hillary co-owner vocally discusses the case in an online forum, complaining about the bank and pointing to the media reports.

This controversy between Hillary and the bank now dominates the Wikipedia page about the bank. Can this be good for the bank?

In the public comments to a key blog article on the lawsuit, one observer sympathetic to Hillary finds that the bank has published a job posting for a wire transfer risk specialist. The observer suggests, yeah, they need someone with those skills! The actions of this "observer" (Is he or she affiliated with Hillary? A volunteer? Who knows.) give the impression that the public is rallying to Hillary's aid.*

The bank hasn't said much to defend itself in public. The bank's tight-lipped approach (“our lawsuit speaks for itself”) hasn't played well. There is no way all this chatter on the web has been good for the bank's reputation. The damage to the bank's image could far exceed $200,000.

Hillary is a reasonable-size mom and pop business ($35 million in 2008 annual sales). PlainsCapital ($4.4 billion in assets) is much larger. The bank's old-style approach – let our lawyers do our talking – seems to have enabled populist underdog Hillary to land some blows on its opponent.

Although many details about this case are known to the public, many are not. We don't know, for instance, everything about the security or insecurity of Hillary's computers or whether the bank had offered Hillary some additional security procedures that Hillary declined to use. (An example of additional security might be SMS text messages to cell phones of Hillary officials as each and every event transpires within the bank account.) The bank may have a stronger story here than it has revealed so far.

Cyber Publicity is Faster Than a Lawsuit

But as things are going now, the bank may not have a good chance to tell its side of this cybertheft story. Internet-driven public opinion may solidify long before the bank can explain.

Talking on the web (Hillary's approach) is fast and cheap. Talking through lawyers in the courtroom (the bank's approach) is slow and expensive.

Publicity is different today than it was a few years ago. In the past, an unflattering report might appear on TV or in a newspaper, and then it was gone and few would remember. But media reports today live persistently on the web. Months-or-years-old reports can show up when prospective customers google “PlainsCapital Bank.”

This squabble is not over. But as of February 16, 2010, little Hillary seems to have exploited the web as an asymmetrical weapon against a larger adversary.

Update: Resolution May 2010

Hillary and PlainsCapital settled their lawsuit, and agreed to keep the terms confidential. The settlement came two days after the court rejected motions by PlainsCapital that the case go to arbitration; PlainsCapital apparently wanted arbitration because it felt a public trial was less likely to deliver it a net benefit. It is hard for me to conclude that this lawsuit was good for PlainsCapital. The bank started the lawsuit. The bank's apparent goal was to clear its name and reputation. The bank did not achieve its goal.

–Benjamin Wright

Mr. Wright teaches IT security law at the SANS Institute, where he stresses how critical public communications (policies, notices, banners, warnings, contracts, subpoenas, interviews, social media, press releases, declarations in court and much more) are to effective cyber defense, negotiations and investigations.

* Gadzooks. Notice how easily a grumpy member of the public was able to dig up a choice detail about PlainsCapital (its job posting for a risk specialist) and link to it from a well-trafficked location with an unfavorable comment. The world did not operate this way a few years ago. Organizations like PlainsCapital live in more of a fishbowl today than they once did. Organizations must re-calibrate how they make and maintain their public images.

[Note: Since I originally posted this article, Hillary Machinery and its affiliates have contacted me and asked that I correct a couple of factual errors. Based on what they said and what I read elsewhere on the web, I have revised my article here. If anyone believes that I have made a mistake here or any other place, I ask that person to telephone me promptly at 1.214.403.6642.]


Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
